lbussell
commented
2 weeks ago Hi @skolima, please refer to the Image Update Policy for this. Currently, we only re-build images in response to base image updates and critical severity CVEs. As Chiseled is a "distroless" image, it has no base image that can be updated. NIST has no official CVSS score for CVE-2024-6119 yet, and I see a mix of medium and high scores from other reports. So we won't likely re-build images for this CVE alone.
The thinking is that consumers of these images would be able to apply updates themselves if they deemed their app susceptible to a specific vulnerability. That prevents too many unnecessary downstream rebuilds. However, Ubuntu Chiseled currently provides limited support for extending or updating images. There is ongoing work on the Ubuntu side to address this (tracked here and here). We're open to feedback on whether we need to change our approach for distroless images until we have better guidance for updating packages. I suspect we haven't got too many reports of non-critical CVEs in Chiseled images because the attack surface is fundamentally so much smaller.
Unrelated to all of that, you should expect images to be re-built tomorrow as part of Patch Tuesday. So be on the look out for an updated base image.
Describe the Bug
CVE-2024-6119 is fixed upstream but
-chiseledimages have not been updated.dotnet-sdkimages (non-chiseled) have been recreated after upstream released a fix and are no longer affected. Ubuntu CVE information: https://ubuntu.com/security/CVE-2024-6119Steps to Reproduce
Trivy/Aquascanner output
``` Vulnerability CVE-2024-6119 Severity: MEDIUM Package: openssl Fixed Version: 3.0.13-0ubuntu3.4 Link: [CVE-2024-6119](https://avd.aquasec.com/nvd/cve-2024-6119) Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", "markdown": "**Vulnerability CVE-2024-6119** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|openssl|3.0.13-0ubuntu3.4|[CVE-2024-6119]([https://avd.aquasec.com/nvd/cve-2024-6119)|](https://avd.aquasec.com/nvd/cve-2024-6119)%7C) Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. ```docker version
``` Client: Version: 27.2.0 API version: 1.47 Go version: go1.21.13 Git commit: 3ab4256 Built: Tue Aug 27 14:17:17 2024 OS/Arch: windows/amd64 Context: desktop-linux Server: Docker Desktop 4.34.1 (166053) Engine: Version: 27.2.0 API version: 1.47 (minimum version 1.24) Go version: go1.21.13 Git commit: 3ab5c7d Built: Tue Aug 27 14:15:15 2024 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.7.20 GitCommit: 8fc6bcff51318944179630522a095cc9dbf9f353 runc: Version: 1.1.13 GitCommit: v1.1.13-0-g58aa920 docker-init: Version: 0.19.0 GitCommit: de40ad0 ```docker info
``` Client: Version: 27.2.0 Context: desktop-linux Debug Mode: false Plugins: buildx: Docker Buildx (Docker Inc.) Version: v0.16.2-desktop.1 Path: C:\Program Files\Docker\cli-plugins\docker-buildx.exe compose: Docker Compose (Docker Inc.) Version: v2.29.2-desktop.2 Path: C:\Program Files\Docker\cli-plugins\docker-compose.exe debug: Get a shell into any image or container (Docker Inc.) Version: 0.0.34 Path: C:\Program Files\Docker\cli-plugins\docker-debug.exe desktop: Docker Desktop commands (Alpha) (Docker Inc.) Version: v0.0.15 Path: C:\Program Files\Docker\cli-plugins\docker-desktop.exe dev: Docker Dev Environments (Docker Inc.) Version: v0.1.2 Path: C:\Program Files\Docker\cli-plugins\docker-dev.exe extension: Manages Docker extensions (Docker Inc.) Version: v0.2.25 Path: C:\Program Files\Docker\cli-plugins\docker-extension.exe feedback: Provide feedback, right in your terminal! (Docker Inc.) Version: v1.0.5 Path: C:\Program Files\Docker\cli-plugins\docker-feedback.exe init: Creates Docker-related starter files for your project (Docker Inc.) Version: v1.3.0 Path: C:\Program Files\Docker\cli-plugins\docker-init.exe sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.) Version: 0.6.0 Path: C:\Program Files\Docker\cli-plugins\docker-sbom.exe scout: Docker Scout (Docker Inc.) Version: v1.13.0 Path: C:\Program Files\Docker\cli-plugins\docker-scout.exe Server: Containers: 1 Running: 0 Paused: 0 Stopped: 1 Images: 7 Server Version: 27.2.0 Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Using metacopy: false Native Overlay Diff: true userxattr: false Logging Driver: json-file Cgroup Driver: cgroupfs Cgroup Version: 2 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 nvidia runc Default Runtime: runc Init Binary: docker-init containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353 runc version: v1.1.13-0-g58aa920 init version: de40ad0 Security Options: seccomp Profile: unconfined cgroupns Kernel Version: 5.15.153.1-microsoft-standard-WSL2 Operating System: Docker Desktop OSType: linux Architecture: x86_64 CPUs: 32 Total Memory: 15.5GiB Name: docker-desktop ID: 89a001b3-8488-4d8b-8c25-5c23b6facab0 Docker Root Dir: /var/lib/docker Debug Mode: false HTTP Proxy: http.docker.internal:3128 HTTPS Proxy: http.docker.internal:3128 No Proxy: hubproxy.docker.internal Labels: com.docker.desktop.address=npipe://\\.\pipe\docker_cli Experimental: false Insecure Registries: hubproxy.docker.internal:5555 [127.0.0.0/8](http://127.0.0.0/8) Live Restore Enabled: false WARNING: daemon is not using the default seccomp profile ```